RegistryKeySet
The RegistryKeySet tag describes a set of keys in the registry (Windows only).
Tag Attributes
These are XML attributes of the tag itself, as opposed to the attributes of the Entity monitored by Integrity Monitoring Rules.
Attribute | Description | Required | Default Value | Allowed Values |
base | Sets the base key of the RegistryKeySet. Everything else in the tag is relative to this key. The base must begin with one of the following registry branch names: HKEY_CLASSES_ROOT (or HKCR), HKEY_LOCAL_MACHINE (or HKLM), HKEY_USERS (or HKU), HKEY_CURRENT_CONFIG (or HKCC) | Yes | N/A | String values resolving to syntactically valid registry key path |
Entity Set Attributes
These are the attributes of the Entity that can be monitored by Integrity Monitoring Rules.
- Owner
- Group
- Permissions
- LastModified ("LastWriteTime" in Windows registry terminology)
- Class
- SecurityDescriptorSize
Short Hand Attributes
- STANDARD: Group, Owner, Permissions, LastModified
Meaning of "Key"
Registry keys are stored hierarchically in the registry, much like directories in a file system. For the purposes of this language, the "key path" to a key is treated like the path to a directory. For example, the "key path" to the "Deep Security Agent" key of the Agent would be:
HKEY_LOCAL_MACHINE\SOFTWARE\Trend Micro\Deep Security Agent
The "key" value for includes and excludes for the RegistryValueSet is matched against the key path. This is a hierarchical pattern, with sections of the pattern separated by "/" matched against sections of the key path separated by "\".
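An added example, not part of the product documentation or the Agent's code: a small Python model of the hierarchical match described above, for checking which key paths a rule's include and exclude patterns would cover before deploying it. The wildcard semantics (`*`, `?`, `**`), the case-insensitive comparison, the exclude-over-include precedence and all function names are assumptions of this example.

```python
import re

def _section_matches(pat: str, section: str) -> bool:
    """Glob-match one pattern section against one key-path section."""
    # Assumption: '*' = any run of characters, '?' = one character, case-insensitive.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat)
    return re.fullmatch(regex, section, re.IGNORECASE | re.DOTALL) is not None

def key_matches(pattern: str, relative_key: str) -> bool:
    """Match a '/'-separated pattern against a '\\'-separated key path (relative to base)."""
    pats = [p for p in pattern.split("/") if p]
    secs = [s for s in relative_key.split("\\") if s]

    def walk(i: int, j: int) -> bool:
        if i == len(pats):
            return j == len(secs)          # pattern used up: path must be used up too
        if pats[i] == "**":
            # Assumption: '**' spans zero or more whole sections.
            return any(walk(i + 1, k) for k in range(j, len(secs) + 1))
        return j < len(secs) and _section_matches(pats[i], secs[j]) and walk(i + 1, j + 1)

    return walk(0, 0)

def relative_to_base(base: str, full_key: str):
    """Return the key path below base, or None when the key lies outside the base."""
    b, k = base.rstrip("\\"), full_key.rstrip("\\")
    if k.lower() == b.lower():
        return ""
    if k.lower().startswith(b.lower() + "\\"):
        return k[len(b) + 1:]
    return None

def selected(base, includes, excludes, full_key) -> bool:
    """In the set when an include matches and no exclude does (assumed precedence)."""
    rel = relative_to_base(base, full_key)
    if rel is None:
        return False
    return (any(key_matches(p, rel) for p in includes)
            and not any(key_matches(p, rel) for p in excludes))

# Constructed sample: the base is the key path from the page, the sub-keys are invented.
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Trend Micro\Deep Security Agent"
if __name__ == "__main__":
    for sub in ("", r"\Parameters", r"\Parameters\Net\Proxy", r"\Cache\tmp"):
        print(BASE + sub, selected(BASE, ["**"], ["Cache/**"], BASE + sub))
```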
Sub Elements
- Include
- Exclude
See About the Integrity Monitoring rules language for a general description of Include and Exclude and their allowed attributes and sub elements.